Britain takes digital ID out of beta as U.S. lags

British citizens can access tax, pension and drivers licensing information through a single, secure login called GOV.UK Verify. The system is set to exit a public beta and go live the week of May 23.

Under GOV.UK Verify, the U.K. Post Office, the recently privatized Royal Mail, and a host private companies -- including credit bureau Experian, mobile provider Verizon and the bank Barclays -- act as brokers to leverage existing secure credentials for use in governmental transactions.

The shared service credential model is expected to expand across departments in the U.K. to offer citizen access to the full range of government functions.

By contrast, U.S. efforts to provide citizens with a single credential to access government services can be charitably describe as lagging.

The IRS has on its own tried to offer taxpayers access to their prior-year returns using knowledge-based security protocols, resulting in breaches numbering in the hundreds of thousands. The tax agency is going to reboot the Get Transcript tool soon, with tighter security features. Other agencies have their own use-specific logins, but nothing like the overarching access offered by UK.GOV Verify.

It's not for lack of trying.

Until recently, the National Strategy for Trusted Identities in Cyberspace was the main locus of activity on this front. The effort, housed at the National Institute of Standards and Technology, gives grants to private companies and non-profits to run pilots in the establishment of federated identities along the lines of what GOV.UK Verify have achieved, using a mix of commercial and official credentials to confirm individual identities.

Jeremy Grant, who used to head NSTIC, told FCW that the U.K. has the advantage when comes to authority, resources and discipline. The U.K., Grant said, corralled all the efforts into its shared service model, and shut down duplicative programs.

"In the U.S., while the White House indicated that all agencies should use the shared service, there have not been any real consequences for agencies that go their own way," Grant said. "So U.S. efforts depended more on a 'coalition of the willing' when it comes to agencies adopting this approach. And that makes things go slower."

The UK.GOV Verify was also better funded, with five times the spending for a government serving a population one-fifth the size of the U.S.

"This let the [U.K.'s Government Digital Service] team build a very competent, sophisticated, robust operation and solution, and ensured that agencies there weren't scrambling for budget to pay for Verify," Grant said. "In the U.S., a pass the hat approach was taken to fund things, there was no dedicated funding. That set up a very different dynamic." 

The closest thing in the U.S. to UK.GOV Verify is Connect.gov -- imagined as a single log-in to access the range of government services. It was launched as an NSTIC project, and designed as a cloud-based shared service that agencies could sign up to use, essentially as their front door. The Post Office was tapped as a partner in identity proofing, and as a likely hub of any in-person verification activity that had to take place. But the effort, like the British work, was to tap commercial partners.

The project was also seen as the means to accomplish the goals of a 2014 Obama administration executive order that required that "all agencies making personal data accessible to citizens through digital applications require the use of multiple factors of authentication and an effective identity proofing process, as appropriate."

The target date for completion set forth in the order was April 17, 2016.

The project seemed to gather steam when the General Services Administration took over the project from NSTIC and issued an RFI to vendors in mid-April 2015, seeking information on a federated digital identity ecosystem.   

According to contracting documents, the Department of Veterans Affairs was planning on consolidating its identity-proofing applications to incorporating the Connect.gov ID. The firm SecureKey had a contract to provide broker hub service, while Verizon and ID.me were providing credentialing services. But the RFI never blossomed into a request for proposals.

The newly enfranchised 18F organization at GSA announced in a May 10 blog post that it had taken the lead, "to tackle the inconsistent, difficult experience that the public has logging in and proving their identity when interacting with the government online."

In the post, 18F said they are taking cues from the lessons learned in the design of GOV.UK Verify.

"This system is designed to be your one account for government…The end goal is a drastic reduction in both the time it takes to accomplish certain tasks and a significant reduction in the amount of paperwork or forms that need to be submitted," according to the blog post.

While 18F says it will build on the foundations of the Connect.gov effort, it appears that the Connect.gov brand will be retired. It's not clear what will become of all the work that private companies put into trying to participate in a federated credentialing ecosystem.

An 18F spokesperson referred an FCW reporter to the blog post for information on this topic, and did not otherwise elaborate.

Grant, who is now a managing director at the Chertoff Group, told FCW that he's hearing from firms that are feeling out of the loop after having "gone through the exhaustive and expensive process GSA established for getting their solutions accredited for government use."  

"The private sector partners are asking whether they are still partners, whether there is still a place for them in this government identity ecosystem," Grant said. "In the UK, they know where they stand; in the U.S., not so much now."

NSTIC and NIST are still in the game. NIST recently posted a pre-draft preview of its updated digital authentication guidelines to GitHub for comment.

"There are many updates to this document that make room for federal agencies to adopt market innovations, leverage the solutions individuals already have, and establish increased global alignment of identity practices," acting NSTIC director Michael Garcia told FCW.  

"Agencies are making great strides, and our pilots have demonstrated secure and interoperable solutions that enhance privacy for individuals while reducing cost for providers, all while improving the digital experience," Garcia said. "We're heartened to see these private sector solutions deployed throughout the marketplace, including across government, and look forward to even more adoption over time." NSTIC continues to coordinate with the U.K. digital service and hopes to build off their work.

But as to a go-live date for a governmentwide digital log-in, that will likely have to wait for the next administration.

While allowing that GSA has its reasons for its new approach, Grant said that the pivot "equates to a conscious decision to push back delivery of a real solution agencies can use to start offering more high value, citizen-facing digital applications."